Hi Clinton,

is it possible that you switch to crypt passwords in the LDAP server? (You will be asked for this if you run the idsconfig script.) Then you don't have to change anything in the PAM configuration: pam_unix will use the LDAP server as a kind of "passwd" datastore, read the passwd attribute of the user and check it against the user's input. Because of the "difficulties" with changes in the PAM configuration I always prefer this setup.

 Thore


Propst, Clinton W CTR USAF AMC 375 CSPTS/SCO wrote:
Thanks for the info.  Great info on pam_ldap.  I was not aware of that
man page.
No luck after inserting the pam_ldap module "after dtlogin-sunray
password" or "dtsession-sunray" section.  The Sun Ray Server never looks
for objectclass=shadow during ldap search.

Any ideas?  Thanks.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lars Tunkrans
Sent: Thursday, September 18, 2008 1:38 PM
To: SunRay-Users mailing list
Subject: Re: [SunRay-Users] FW: SunRay-Users ldap authentication failing

Hi, your problem is that you have not implemented the LDAP PAM modules in the "dtlogin-sunray password" section, nor in the "dtsession-sunray" section.

The manual for pam_ldap is rather explicit in what you need to do. For each of your authentication types you need to implement all of the below, Example 1 from the pam_ldap(5) manual page. Then again, I have numerous times pointed out that there is a need for a /etc/PAM_LDAP.CONF example file to be included in the Solaris distribution and the SRS distribution.



     Example 1 Using pam_ldap With Authentication

     The following is a configuration for the login service when
     using pam_ldap. The service name login can be substituted
     for any other authentication service such as dtlogin or su.
     Lines that begin with the # symbol are comments and are
     ignored.

       # Authentication management for login service is stacked.
       # If pam_unix_auth succeeds, pam_ldap is not invoked.
       # The control flag "binding" provides a local overriding
       # remote (LDAP) control. The "server_policy" option is used
       # to tell pam_unix_auth.so.1 to ignore the LDAP users.

       login   auth requisite  pam_authtok_get.so.1
       login   auth required   pam_dhkeys.so.1
       login   auth required   pam_unix_cred.so.1
       login   auth binding    pam_unix_auth.so.1 server_policy
       login   auth required   pam_ldap.so.1

     Example 2 Using pam_ldap With Account Management

     The following is a configuration for account management when
     using pam_ldap. Lines that begin with the # symbol are comments
     and are ignored.

       # Account management for all services is stacked
       # If pam_unix_account succeeds, pam_ldap is not invoked.
       # The control flag "binding" provides a local overriding
       # remote (LDAP) control. The "server_policy" option is used
       # to tell pam_unix_account.so.1 to ignore the LDAP users.

       other   account  requisite      pam_roles.so.1
       other   account  binding        pam_unix_account.so.1 server_policy
       other   account  required       pam_ldap.so.1


     Example 3 Using pam_authtok_store With Password Management
     For Both Local and LDAP Accounts

     The following is a configuration for password management
     when using pam_authtok_store. Lines that begin with the #
     symbol are comments and are ignored.

       # Password management (authentication)
       # The control flag "binding" provides a local overriding
       # remote (LDAP) control. The server_policy option is used
       # to tell pam_passwd_auth.so.1 to ignore the LDAP users.

       passwd  auth binding  pam_passwd_auth.so.1 server_policy
       passwd  auth required pam_ldap.so.1

       # Password management (updates)
       # This updates passwords stored both in the local /etc
       # files and in the LDAP directory. The "server_policy"
       # option is used to tell pam_authtok_store to
       # follow the LDAP server's policy when updating
       # passwords stored in the LDAP directory

       other password required   pam_dhkeys.so.1
       other password requisite  pam_authtok_get.so.1
       other password requisite  pam_authtok_check.so.1
       other password required   pam_authtok_store.so.1 server_policy

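An added audit script (not from this thread, and not Sun's own tooling) that parses a Solaris-style pam.conf and checks the dtlogin-SunRay and dtsession-SunRay auth and account stacks against pam_ldap(5) Examples 1 and 2 quoted above; the pam.conf text embedded in it is a constructed sample based on the stacks posted in this thread.

```python
from collections import defaultdict

# Constructed sample (not the poster's full file): dtlogin-SunRay edited as the
# man page shows, dtsession-SunRay left as posted with no pam_ldap line and a
# "sufficient" pam_unix_auth, which is what the audit below should flag.
SAMPLE_PAM_CONF = """\
# comments are ignored
dtlogin-SunRay auth binding pam_unix_auth.so.1 server_policy
dtlogin-SunRay auth required pam_ldap.so.1
dtlogin-SunRay account binding pam_unix_account.so.1 server_policy
dtlogin-SunRay account required pam_ldap.so.1
dtsession-SunRay auth requisite pam_authtok_get.so.1
dtsession-SunRay auth sufficient pam_unix_auth.so.1
dtsession-SunRay account sufficient pam_unix_account.so.1
"""

def parse_pam_conf(text):
    """Return {(service, type): [(control, module, [options])]} in file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 4:
            continue  # blank or malformed line
        service, mtype, control, module = fields[:4]
        stacks[(service, mtype)].append((control.lower(), module, fields[4:]))
    return stacks

def audit_ldap_stack(stacks, service, mtype):
    """Compare one service/type stack with pam_ldap(5) Examples 1 and 2.

    A pam_ldap.so.1 line must be present, and the pam_unix_auth / pam_unix_account
    line must be 'binding' with 'server_policy' so LDAP users fall through to it.
    Returns the list of deviations; an empty list means the stack matches.
    """
    findings = []
    stack = stacks.get((service, mtype), [])
    if not any(m.endswith("pam_ldap.so.1") for _, m, _ in stack):
        findings.append(f"{service} {mtype}: no pam_ldap.so.1 line")
    for control, module, opts in stack:
        if f"pam_unix_{mtype}" in module and not (control == "binding" and "server_policy" in opts):
            findings.append(f"{service} {mtype}: {module} is '{control}', "
                            "expected 'binding ... server_policy'")
    return findings

if __name__ == "__main__":
    conf = parse_pam_conf(SAMPLE_PAM_CONF)
    for svc in ("dtlogin-SunRay", "dtsession-SunRay"):
        for t in ("auth", "account"):
            print("\n".join(audit_ldap_stack(conf, svc, t)) or f"{svc} {t}: ok")
```

Point it at the real /etc/pam.conf by reading the file into parse_pam_conf instead of the sample string.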
Propst, Clinton W CTR USAF AMC 375 CSPTS/SCO wrote:
Hi All,

I have configured SRSS (4.0 patch 127553-02) for ldap using "ldapclient init ...".  SSH and su work fine using ldap for authentication, but Sun Ray users are unable to log in.  Receive "Login incorrect".  Below is the pam.conf and ldap log. We are using Sun Java Directory Server 6.3.
Another error (attached below) that is related to ldap occurs during reboot.  The Sun Ray services cannot bind to the Sun Ray Data Store.  Can I configure the Sun Ray server as an ldap client or will it mess up the Sun Ray Data Store connection? Any and all help greatly appreciated. Thanks in advance.
Clinton

Pam.conf

# added to dtlogin-SunRay by SunRay Server Software -- dtlogin-SunRay
dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser
dtlogin-SunRay auth requisite pam_authtok_get.so.1
dtlogin-SunRay auth required pam_dhkeys.so.1
dtlogin-SunRay auth required pam_unix_cred.so.1
dtlogin-SunRay auth binding pam_unix_auth.so.1 server_policy
dtlogin-SunRay auth required pam_ldap.so.1
dtlogin-SunRay account sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay account requisite pam_roles.so.1
dtlogin-SunRay account binding pam_unix_account.so.1 server_policy
dtlogin-SunRay account required pam_ldap.so.1
dtlogin-SunRay session required pam_unix_session.so.1
dtlogin-SunRay password required pam_dhkeys.so.1
dtlogin-SunRay password requisite pam_authtok_get.so.1
dtlogin-SunRay password requisite pam_authtok_check.so.1
dtlogin-SunRay password required pam_authtok_store.so.1

# added to dtsession-SunRay by SunRay Server Software -- dtsession-SunRay
dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
dtsession-SunRay auth requisite pam_authtok_get.so.1
dtsession-SunRay auth required pam_dhkeys.so.1
dtsession-SunRay auth required pam_unix_cred.so.1
dtsession-SunRay auth sufficient pam_unix_auth.so.1
dtsession-SunRay account requisite pam_roles.so.1
dtsession-SunRay account sufficient pam_unix_account.so.1
dtsession-SunRay session required pam_unix_session.so.1
dtsession-SunRay password required pam_dhkeys.so.1
dtsession-SunRay password requisite pam_authtok_get.so.1
dtsession-SunRay password requisite pam_authtok_check.so.1
dtsession-SunRay password required pam_authtok_store.so.1

Sun Java Directory Server 6.3 log:

[11/Sep/2008:18:40:49 +0000] conn=1372 op=-1 msgId=-1 - fd=69 slot=69 LDAP connection from 134.221.19.22:33063 to 134.221.19.36
[11/Sep/2008:18:40:49 +0000] conn=1372 op=0 msgId=1 - BIND dn="cn=proxyagent,ou=profile,dc=users,dc=market,dc=hr,dc=usda,dc=gov" method=128 version=3
[11/Sep/2008:18:40:49 +0000] conn=1372 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=users,dc=market,dc=hr,dc=usda,dc=gov"
[11/Sep/2008:18:40:49 +0000] conn=1372 op=1 msgId=2 - SRCH base="ou=people,dc=users,dc=market,dc=hr,dc=usda,dc=gov" scope=2 filter="(&(objectClass=posixAccount)(uid=clinton.propst))" attrs=ALL
[11/Sep/2008:18:40:49 +0000] conn=1372 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[11/Sep/2008:18:40:49 +0000] conn=1373 op=-1 msgId=-1 - fd=71 slot=71 LDAP connection from 134.221.19.22:33064 to 134.221.19.36
[11/Sep/2008:18:40:49 +0000] conn=1373 op=0 msgId=1 - BIND dn="uid=clinton.propst,ou=People,dc=users,dc=market,dc=hr,dc=usda,dc=gov" method=128 version=3
[11/Sep/2008:18:40:49 +0000] conn=1373 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=clinton.propst,ou=people,dc=users,dc=market,dc=hr,dc=usda,dc=gov"
[11/Sep/2008:18:40:52 +0000] conn=1020 op=507 msgId=508 - SRCH base="ou=people,dc=users,dc=market,dc=hr,dc=usda,dc=gov" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=1201))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[11/Sep/2008:18:40:52 +0000] conn=1020 op=507 msgId=508 - RESULT err=0 tag=101 nentries=1 etime=0
[11/Sep/2008:18:40:53 +0000] conn=1372 op=2 msgId=3 - UNBIND
[11/Sep/2008:18:40:53 +0000] conn=1372 op=2 msgId=-1 - closing from 134.221.19.22:33063 - U1 - Connection closed by unbind client -
[11/Sep/2008:18:40:53 +0000] conn=1373 op=1 msgId=2 - UNBIND
[11/Sep/2008:18:40:53 +0000] conn=1373 op=1 msgId=-1 - closing from 134.221.19.22:33064 - U1 - Connection closed by unbind client -
[11/Sep/2008:18:40:53 +0000] conn=1372 op=-1 msgId=-1 - closed.
[11/Sep/2008:18:40:54 +0000] conn=1373 op=-1 msgId=-1 - closed.

Sun Ray Server /var/adm/messages during boot with ldap client
configured:

Sep 11 13:38:35 sraysvr rpcbind: [ID 564983 daemon.error] rpcbind terminating on signal.
Sep 11 13:38:40 sraysvr utdevadm[19113]: [ID 702911 user.info] open_connection(): Could not bind to DS server sraysvr - Can't connect to the LDAP server
Sep 11 13:40:40 sraysvr utdevadm[1043]: [ID 702911 user.info] open_connection(): Could not bind to DS server sraysvr - Can't contact LDAP server
Sep 11 13:40:40 sraysvr utpulld[997]: [ID 224068 daemon.error] Error: ldap_sasl_bind (host localhost, DN cn=admin,o=utdata) returned: Can't contact LDAP server
Sep 11 13:40:40 sraysvr utpulld[997]: [ID 254794 daemon.error] Failed to bind to cn=admin,o=utdata on local utdsd: Can't contact LDAP server
Sep 11 13:40:44 sraysvr utglpolicy[1151]: [ID 702911 user.info] open_connection(): Could not bind to DS server sraysvr - Can't connect to the LDAP server
Sep 11 13:40:49 sraysvr utauthd: [ID 702911 user.info] open_connection(): Could not bind to DS server sraysvr - Can't connect to the LDAP server
Sep 11 13:41:11 sraysvr dtlogin[1197]: [ID 293258 user.error] libsldap: Status: 49  Mesg: openConnection: simple bind failed - Invalid credentials
Sep 11 15:27:02 sraysvr ldapclient[9418]: [ID 293258 user.warning] libsldap: Status: 0  Mesg: NULL or invalid proxy bind DN
Sep 11 15:28:07 sraysvr ldapclient[9496]: [ID 293258 user.warning] libsldap: Status: 0  Mesg: NULL or invalid proxy bind DN


_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users



--

oraise GmbH
Haferwende 10a
28357 Bremen
Tel.:   +49 (0) 421 3355 368
Fax:    +49 (0) 421 3355 355
Mobile: +49 (0) 151 12542976
www.oraise.de
[EMAIL PROTECTED]

oraise GmbH
Register court
AG Bremen HRB 17491
Managing directors:
Markus Hengstenberg | Dieter Rahn | Thomas Viohl

oraise Beteiligungs- und
Verwaltungs GmbH & Co. KG
Register court
AG Bremen HRA 24070
Managing directors:
Markus Hengstenberg | Günter Penczek

